Analysis
Max time kernel: 142s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 09/11/2024, 19:11

Static task: static1
Behavioral task: behavioral1
Sample: 69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe
Resource: win10v2004-20241007-en
General
Target: 69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe
Size: 478KB
MD5: c985ba4b859c890f3048153634c9e437
SHA1: 51492634461d3045635397dc24251b7eb9bc0f44
SHA256: 69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883
SHA512: 4fd5ca114f93a53bad4268f639504120b6701141ac5be0ac027195ead8588ad04e9460143a51a098ac73987b3eb5986808419a053eecbf6b089a8afaf50e292d
SSDEEP: 12288:CMrNy90rKYQ1Vxoq4aI692wFfvTFnKcTbB6:ryoKFWqFLBKcg
Malware Config
Extracted
Family: redline
Botnet: divan
C2: 217.196.96.102:4132
auth_value: b414986bebd7f5a3ec9aee0341b8e769
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
YARA rule "healer" matched 17 memory dumps of PID 652 (k7002066.exe), all in behavioral1:
memory/652-15  0x00000000049F0000-0x0000000004A0A000
memory/652-18  0x0000000005080000-0x0000000005098000
memory/652-19, -20, -22, -24, -26, -28, -30, -32, -34, -36, -38, -40, -42, -45, -46  0x0000000005080000-0x0000000005092000 (15 dumps of the same region)

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
All written by k7002066.exe under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (WOW6432Node is the redirected view a 32-bit process gets of HKLM\SOFTWARE):
Key created      Real-Time Protection
Set value (int)  DisableRealtimeMonitoring = "1"
Set value (int)  DisableScanOnRealtimeEnable = "1"
Set value (int)  DisableBehaviorMonitoring = "1"
Set value (int)  DisableIOAVProtection = "1"
Set value (int)  DisableOnAccessProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
YARA rule "family_redline" matched:
behavioral1/files/0x000b000000023b60-54.dat
behavioral1/memory/1512-56  0x0000000000090000-0x00000000000BE000 (PID 1512, l8054180.exe)

Redline family
Executes dropped EXE (3 IoCs)
PID 1148  y4054976.exe
PID 652   k7002066.exe
PID 1512  l8054180.exe

Windows security modification (2 IoCs)
Written by k7002066.exe under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features:
Key created      Features
Set value (int)  TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
Both values are written under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce:
Set value (str)  wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  by 69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe
Set value (str)  wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  by y4054976.exe
Note: wextract_cleanupN RunOnce values that call advpack.dll,DelNodeRunDLL32 are the standard cleanup entries written by the Windows WExtract self-extracting cabinet stub; IXP00N.TMP is its extraction directory and the entry deletes that directory at next logon rather than relaunching a payload. The signature fires because a RunOnce value was written, not because this particular value persists the malware; the nested IXP000.TMP / IXP001.TMP layout does show the sample is a two-layer self-extractor.
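The Defender policy writes, the TamperProtection write and the RunOnce entries above are all recorded in the same "description ioc Process" layout. The following is an added example (not part of this report and not a Triage feature) of turning records in that layout into triage findings: it normalises the \REGISTRY\MACHINE and WOW6432Node forms to one HKLM path, flags Real-Time Protection Disable* = "1" and TamperProtection = "0" writes as high severity, flags any Run/RunOnce write as an autostart, and downgrades the WExtract wextract_cleanupN / DelNodeRunDLL32 pattern to informational so it does not masquerade as persistence. The sample records are constructed: the first four copy entries from this report, while the Run\Updater / evil.exe and admin.exe lines are invented controls that did not occur in the sandbox run.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed records in the report's "description ioc Process" layout. The first four
# mirror this report; Run\Updater (evil.exe) and the admin.exe line are invented controls.
SAMPLE_RECORDS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k7002066.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k7002066.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k7002066.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y4054976.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe" evil.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" admin.exe',
]

@dataclass
class RegEvent:
    op: str                 # "set" or "key_created"
    path: str               # normalised: HKLM\... with the WOW6432Node view folded away
    data: Optional[str]     # value data for "set", None for "key_created"
    process: str            # image name of the writing process

@dataclass
class Finding:
    rule: str
    severity: str           # "high", "medium" or "info"
    event: RegEvent

# "Set value (type) <path> = "<data>" <process>"; the path is taken lazily up to the first
# ' = "', the data greedily up to the last '"' that precedes the trailing process name.
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\.*?) (?P<proc>\S+)$')

DEFENDER_RT_PREFIX = 'HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\'
TAMPER_VALUE = 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection'
AUTOSTART_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$', re.IGNORECASE)
# Cleanup command the WExtract self-extractor stub registers to delete its IXP00N.TMP directory.
SFX_CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32', re.IGNORECASE)

def normalize_path(path: str) -> str:
    path = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', path, flags=re.IGNORECASE)
    path = re.sub(r'^\\REGISTRY\\USER\\', r'HKU\\', path, flags=re.IGNORECASE)
    # WOW6432Node is the 32-bit process's redirected view of HKLM\SOFTWARE; fold it away
    # so one rule matches the same key whether a 32-bit or 64-bit process wrote it.
    return re.sub(r'\\WOW6432Node\\', r'\\', path, flags=re.IGNORECASE)

def parse_event(line: str) -> Optional[RegEvent]:
    m = SET_RE.match(line)
    if m:
        return RegEvent("set", normalize_path(m["path"]), m["data"], m["proc"])
    m = KEY_RE.match(line)
    if m:
        return RegEvent("key_created", normalize_path(m["path"]), None, m["proc"])
    return None

def classify(ev: RegEvent) -> Optional[Finding]:
    p = ev.path.lower()
    if ev.op == "set" and p.startswith(DEFENDER_RT_PREFIX.lower()):
        name = ev.path.rsplit("\\", 1)[1]
        if name.lower().startswith("disable") and ev.data == "1":
            return Finding("defender_realtime_protection_disabled", "high", ev)
    if ev.op == "set" and p == TAMPER_VALUE.lower() and ev.data == "0":
        return Finding("defender_tamper_protection_disabled", "high", ev)
    m = AUTOSTART_RE.search(ev.path)
    if m and ev.op == "set":
        if m["name"].lower().startswith("wextract_cleanup") and SFX_CLEANUP_RE.search(ev.data or ""):
            return Finding("sfx_extractor_cleanup_runonce", "info", ev)
        return Finding("autostart_entry_added", "medium", ev)
    return None

def scan(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        f = classify(ev)
        if f is not None:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f.severity:6}] {f.rule:40} {f.event.process:14} {f.event.path}")
```

Run against the constructed records this yields two high findings for k7002066.exe (real-time protection and tamper protection disabled), an informational hit for the wextract_cleanup1 entry, a medium autostart finding for the invented Run\Updater value, and nothing for the admin.exe write that sets DisableRealtimeMonitoring back to "0".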
Launches sc.exe (1 IoC)
sc.exe is the Windows utility used to control services on the system.
PID 4952  sc.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of: 69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe, y4054976.exe, k7002066.exe, l8054180.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 652  k7002066.exe (2 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege  PID 652  k7002066.exe

Suspicious use of WriteProcessMemory (9 IoCs)
procid_target is the report's process index, not a PID. In every record the target is the child the writing process launches, as listed under Processes.
PID 2788 (69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe) wrote to memory of 1148  procid_target 86  (3 records)
PID 1148 (y4054976.exe) wrote to memory of 652   procid_target 87  (3 records)
PID 1148 (y4054976.exe) wrote to memory of 1512  procid_target 92  (3 records)
Processes
1. C:\Users\Admin\AppData\Local\Temp\69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe  (PID 2788)
   Command line: "C:\Users\Admin\AppData\Local\Temp\69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe  (PID 1148)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe  (PID 652)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8054180.exe  (PID 1512)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8054180.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
1. C:\Windows\system32\sc.exe  (PID 4952; listed at depth 1, no parent recorded in the report)
   Command line: C:\Windows\system32\sc.exe start wuauserv
   - Launches sc.exe
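The process tree above is what the WriteProcessMemory records reduce to once the three repeated writes per parent/child pair are collapsed. As an added example (not a tool from this report or from Triage), the code below rebuilds that lineage from records in the report's "PID X wrote to memory of Y" layout, drops duplicate and self-targeting records, renders the tree, and reports every root-to-leaf chain in which each descendant runs out of an IXPnnn.TMP directory, the extraction directory of the WExtract self-extractor, which is how the nested dropper layering in this sample shows up. The records and the PID-to-image map are constructed from the figures in this report; sample.exe stands in for the long hash-named dropper, and the extra self-write record is invented to show it is ignored.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# "PID <src> wrote to memory of <dst> <pid> <process> <procid_target>": procid_target is
# the report's process index, not a PID, so lineage is taken from src/dst only.
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<proc>\S+) (?P<target_idx>\d+)$')
# IXPnnn.TMP is the extraction directory created by the WExtract self-extractor stub.
SFX_DIR_RE = re.compile(r'\\Temp\\IXP\d{3}\.TMP\\', re.IGNORECASE)

# Constructed copies of this report's records (three per parent/child pair, as the sandbox
# lists them); sample.exe stands for the hash-named dropper. The last line is an invented
# self-write that must not become an edge.
SAMPLE_WPM = [
    "PID 2788 wrote to memory of 1148 2788 sample.exe 86",
    "PID 2788 wrote to memory of 1148 2788 sample.exe 86",
    "PID 2788 wrote to memory of 1148 2788 sample.exe 86",
    "PID 1148 wrote to memory of 652 1148 y4054976.exe 87",
    "PID 1148 wrote to memory of 652 1148 y4054976.exe 87",
    "PID 1148 wrote to memory of 652 1148 y4054976.exe 87",
    "PID 1148 wrote to memory of 1512 1148 y4054976.exe 92",
    "PID 1148 wrote to memory of 1512 1148 y4054976.exe 92",
    "PID 1148 wrote to memory of 1512 1148 y4054976.exe 92",
    "PID 2788 wrote to memory of 2788 2788 sample.exe 85",
]

# PID -> image path, transcribed from the Processes section of this report.
IMAGES: Dict[int, str] = {
    2788: r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
    1148: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe",
    652:  r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe",
    1512: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8054180.exe",
}

def parse_edges(lines: List[str]) -> List[Tuple[int, int]]:
    """Unique (writer, target) pairs; repeated records and self-writes are dropped."""
    edges = set()
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        if src != dst:
            edges.add((src, dst))
    return sorted(edges)

def build_tree(edges: List[Tuple[int, int]]):
    children: Dict[int, List[int]] = defaultdict(list)
    targets = set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    roots = sorted({src for src, _ in edges} - targets)   # writers nobody wrote into
    return roots, children

def render_tree(roots, children, images: Dict[int, str]) -> List[str]:
    lines: List[str] = []
    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)
    for root in roots:
        walk(root, 0)
    return lines

def sfx_chains(roots, children, images: Dict[int, str]) -> List[List[int]]:
    """Root-to-leaf chains whose every descendant runs from an IXPnnn.TMP directory."""
    chains: List[List[int]] = []
    def walk(pid: int, path: List[int]) -> None:
        path = path + [pid]
        kids = children.get(pid, [])
        if not kids:
            if len(path) > 1 and all(SFX_DIR_RE.search(images.get(p, "")) for p in path[1:]):
                chains.append(path)
            return
        for child in sorted(kids):
            walk(child, path)
    for root in roots:
        walk(root, [])
    return chains

if __name__ == "__main__":
    roots, children = build_tree(parse_edges(SAMPLE_WPM))
    print("\n".join(render_tree(roots, children, IMAGES)))
    for chain in sfx_chains(roots, children, IMAGES):
        print("self-extractor chain:", " -> ".join(str(p) for p in chain))
```

On this report's figures the nine records collapse to three edges rooted at PID 2788, and both leaves (k7002066.exe and l8054180.exe) sit at the end of a chain that passes through IXP000.TMP and IXP001.TMP, matching the two RunOnce cleanup entries recorded above.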
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Downloads

File 1
Filesize: 307KB
MD5: 6d15e00817aa20f7bf8f3541e8433ef8
SHA1: 094621e968a28200b92530e529ed0465538a8898
SHA256: e45f45d2f0de02960286060a317b613de93644b28a39b6dce8542bc305db91db
SHA512: 57c36eb8278f980b3e34a11d5379cf005bae1bae35039a3ec2bb6c0977ba5358868fd9766073e2a30ee05661d88fad0285682192123a030e2079c3209447f4a2

File 2
Filesize: 182KB
MD5: 19a88f76160979bf1b4e0142c16e252f
SHA1: c48d549ef2248795e2921790e209ff4d53354c5b
SHA256: 6ffc768ddae33b68433997d71f8e32804942e3a2d4f19bebe3553b0c9ce08b00
SHA512: 36fd1564b93f0dc73809ac5e4963766986932394fed9e0c33d8216132c8947ea560042ac21ff452298e5147b0b2513f1cbac6e7db1fe243d07f1e131c027a757

File 3
Filesize: 168KB
MD5: 552d1669d62cbb55067b5cd95e6f8180
SHA1: 10459cfb70045704f86f107e4e90a160a4276733
SHA256: ea495e75d19e92b6402f6555707710badc2ca3e4d8dfb73ef15b8d12cd23db4b
SHA512: 492bac6745f3341e00f10cb63edd1bec548c12739de3988ef08fffd78ac3c9b71a0f4d7c339d926dc13e35b191b6f16eb7684b30a02b1d9c7605b2b037790e6d